Durov's Privacy Warning: Why the EU's Age-Verification Plan Could Become a Mass Surveillance Tool

Pavel Durov frequently expresses publicly the thoughts, opinions, and beliefs of the tech industry which many of them may be unwilling to say out loud. His most recent warning should be treated with great caution.

The founder and CEO of Telegram published a post online recently stating his concerns about an EU age-verification application that will determine the age of people attempting to access particular online platforms and/or services. According to Durov, this application is designed to protect children, but he believes this application will functionally serve as a means for creating a surveillance infrastructure and, once built, will be used for much more than verifying a teenager's age.

Durov's concerns are not broadly speaking of a paranoid nature, but rather an architectural nature.

What the EU Is Actually Building

The impetus for this proposal comes as a result of increased pressure on platforms to restrict access by minors to adult content, gambling and some social media features. A number of EU member states have asked for some form of centralised or semi-centralised verification system, or application or digital identity credential that would serve as proof of age for users using various platforms but would have to be submitted to multiple identity verification services.

The rationalisation of a cross-platform approach to age verification presents some surface benefit, but rather than having to perform age verification independently by the platform, and therefore need to collect and hold as many credential documents for identity verification in the datacracy, a single verification of your age could be used as evidence of age across all platforms.

Durov's issue with shared age verification is what is required of you to function in such an environment. To provide for effective and reliable age verification, the system will need to make known to the verifier who the user is. That is, to use a verified governmental issued credentials, bearing your true verified identity. Subsequently, your verification will be linked to all platforms that you use.

Regardless of the privacy protections provided on top of the digital infrastructure, the fundamental nature of this type of verification creates a record of what services you, as a verified user, have accumulated and accessed, creating a ʺbrowsing historyʺ based on your verified identity during the implementation of this type of verification. the app was hackable by design because it blindly trusted the device, and suggested the EU might use the breach as an excuse to strip away the privacy features and turn the whole thing into a broader surveillance tool for social media.

Why This Connects to Crypto and Digital Privacy

The cryptocurrency community has a vested interest in these discussions, even though they might appear to be more about using social media and adult content platforms than anything else.

The core argument in favour of self-custody, decentralized identities, and privacy-preserving technology is for individuals to have control over their own data and credentials. You don't give your passport to a bank to show them you're over 18, you simply show it to them; they check what they need and that's the end of it. The passport is still yours. However, when using a centralised digital verification system, you are giving permission to the people or company doing the verification to log the verification event(s) somewhere, and that log will most likely be used for purposes that will expand over time.

European regulators have already shown they are willing to use access to platform level data as a regulatory tool. The most significant example of this is the, which places very strong obligations on digital content platforms around content moderation and transparency of user data. European Commission If an age-verification requirement is added to that existing body of regulation, then it becomes part of a broader regulatory compliance infrastructure, which will be subject to ongoing access and scrutiny by regulators.

The European Union has made it clear that they would like increased visibility of encrypted communications — a push that and Durov has adamantly opposed and their demands contributed to Durov's legal troubles in France last year. Durov was charged by French prosecutors in August 2024 with enabling organized crime and refusing to cooperate with authorities, with one charge carrying a maximum penalty of 10 years in prison and a fine of 500,000 euros. Durov's skepticism surrounding age verification is not unrelated to these past events, and he sees the same trend occurring again but with better branding.

The Civil Liberties Problem

What the structural nature of this system means for the surveillance aspect is that it doesn't depend on whether or not regulators are acting in bad faith. The structural nature of the surveillance risk indicates it is a problem of the system being built, as opposed to a problem of conspiracies that occur in the structure of the system.

Once this system has built a way to verify identities on a large scale and also create access between those identities and the access to platforms, it becomes a viable way for Governments to build and/or change that system and to change the laws and regulations that were originally created for one purpose or another. The same type of verification on a specific date in 2025 may have been created under one Government or political party, and then continued to exist in a way that people use it after there has been any political change that led to the verification being created.

In the past, Cryptographers have used this same argument about encryption. If you build a backdoor into a system, you can't create a backdoor that only good people will use. The backdoor is built into the system. Critics have long warned that surveillance measures starting with narrow justifications — like protecting children — historically expand into tools for monitoring dissent, profiling minorities, or suppressing free expression.

The same applies to age verification systems that have the ability to verify an individual's age based on a verified identifiable real-world person, linked to that individual's Account, and that are able to work with other platforms on that verified identifiable person's age. That is the same as a backdoor into a computer.

What Better Alternatives Look Like

Privacy-preserving age verification is technically possible without building a surveillance layer. Zero-knowledge proofs allow a user to prove they meet a condition — over 18, resident of a specific country — without revealing the underlying identity data. The verification happens; the identity doesn't transfer.

Several projects in the crypto and digital identity space have been working on exactly this for years. A research report from Aztec argues that the answers to the age assurance question lie not in laws that curtail civil liberties, but in novel technological solutions that enable robust identity verification while safeguarding personal information. The technical solutions exist. What they lack is political will from regulators who find them harder to audit and enforce than centralized systems.

Durov isn't wrong about the tradeoff being real. Whether the EU listens is a different question.

Child safety is a legitimate policy goal. The architecture chosen to pursue it matters enormously — and right now, the architecture on the table looks less like a privacy tool and more like a registry with good publicity.